
"Hardening" MS2-MAX 1.5???

  1. #1
    Lurker
    Join Date
    Sep 2004
    Posts
    1
    Rep Power
    0


    "Hardening" MS2-MAX 1.5???

    Hi guys,

    I've got a MAX 1.5 site about to go live and as part of this, we're being "tagged" as a supplier on a full page newspaper ad in Australia of what's going to be a popular, but violent game....(no, it's not Manhunt.)

    I'm sure it's going to attract a few people who'll take objection to it.

    Leaving aside the pros and cons of this sort of stuff, has anyone got some tips as to ways to hack-proof as much as possible an MS2-MAX 1.5 site?

    It's running on a dedicated Redhat Enterprise 3 system with all the patches and updates, but I'm more interested in the shop software than the server side of things.

    Any suggestions?

    Thanks,

    - Earl White

  2. #2
    Member mfleeson's Avatar
    Join Date
    Aug 2004
    Location
    Lindisfarne, UK
    Posts
    40
    Rep Power
    0



    Hi

    Apart from the obvious ones like use htaccess for the admin, you could do any of the following:
    a) change the default directories to something more obscure; it would make it harder to try and break /catalog/admin if it wasn't there
    b) make sure that in page header information, and generally in the HTML source generated, it does not identify itself as osCommerce; that way it's harder to identify key files.
    c) if you want to make it really difficult, rename key files like product_show to funca etc.
    d) make sure your machine is running a firewall that only allows MySQL access from the localhost and other remote fixed IPs that need access, otherwise lock it all down.
    e) if possible put your database on a different machine that has different passwords on it. That way if someone breaks osCommerce and gets it to inject SQL to dump the password file or any other system file so they can get at it, they'll only get a local closed system instead of the actual webserver.

    Any questions, just holler.

    Cheers

    Mark
    (Technical consultant to www.cd-wow.com - now that's a security nightmare!)

    Those are the key things
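
An added example, not part of either post: a small audit that checks three of the suggestions above (htaccess on the admin directory, no osCommerce identifiers in generated HTML, and a firewall that restricts MySQL by source address). The sample `.htaccess`, page and iptables rules are constructed for illustration, and the function names are this example's own.

```python
import re

# Constructed sample inputs for illustration; none come from the thread.
HTACCESS = ('AuthType Basic\nAuthName "Admin"\n'
            'AuthUserFile /placeholder/.htpasswd\nRequire valid-user\n')
PAGE = ('<html><head><meta name="generator" content="osCommerce"></head>'
        '<body><a href="/catalog/index.php">Shop</a></body></html>')
RULES = """-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j DROP
"""

def admin_has_basic_auth(htaccess):
    """True if the admin .htaccess sets AuthType, AuthUserFile and Require."""
    found = {line.split()[0].lower() for line in htaccess.splitlines()
             if line.strip() and not line.lstrip().startswith("#")}
    return {"authtype", "authuserfile", "require"} <= found

def html_fingerprints(html):
    """Return the patterns in generated HTML that identify the shop software
    or its default directory layout (suggestions a and b)."""
    patterns = ["oscommerce", "oscmax", "/catalog/", "/admin/"]
    return [p for p in patterns if re.search(p, html, re.IGNORECASE)]

def open_mysql_rules(rules, port=3306):
    """Return ACCEPT rules (iptables -S format) for the MySQL port that
    carry no source-address restriction (suggestion d)."""
    unrestricted = []
    for line in rules.splitlines():
        tokens = line.split()
        dport = re.search(r"--dport\s+(\S+)", line)
        if "ACCEPT" not in tokens or not dport or dport.group(1) != str(port):
            continue
        if "-s" not in tokens and "--source" not in tokens:
            unrestricted.append(line)
    return unrestricted

if __name__ == "__main__":
    print("admin auth configured:", admin_has_basic_auth(HTACCESS))
    print("fingerprints in HTML:", html_fingerprints(PAGE))
    print("unrestricted MySQL rules:", open_mysql_rules(RULES))
```

The firewall check only looks at single-port `--dport` rules; port ranges and multiport matches would need extra parsing.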
